Resilience of critical infrastructures: A sovereignty issue
On 4 June, the FIC, in partnership with the CDSE, organised a virtual morning dedicated to the protection of essential basic services. Prey of choice for ever more ambitious and aggressive attackers, their cybersecurity is a major resilience issue for states, their populations and their companies.
Cyber risk costs $10.5 trillion and is growing by 15% every year. If it were a country, its economic weight in GDP equivalent would rank it 3rd in the world, behind the United States (GDP: $18,330bn) and China (GDP: $12,900bn).
The public sector and businesses remain the priority target for cyber criminals, with 90% of French companies (43% of SMEs) having experienced a cybercriminal incident in 2019.
Beyond strategic threats, espionage, and supply chain attacks, ransomware is the main malicious act observed, with local authorities, healthcare stakeholders, and industrial actors being the main targets. In 2020, the number of ransomware attacks has quadrupled versus 2019.
Critical infrastructures are therefore not spared. With these essential basic services (energy, defence, health, transport, food production, etc.), which affect populations to a very large extent, hackers have an extremely strong means of pressure on states and companies.
Annick Rimlinger, Director of Safety & Security, Cyber & Data Protection at Aéma Groupe, and Director General of the ‘Club des Directeurs de Sécurité des Entreprises’ (CDSE, or Club of Corporate Security Directors), also notes that cybercriminals are constantly and relentlessly attacking critical infrastructures by compromising their ICS (industrial control systems) and SCADA (supervisory control and data acquisition) monitoring and alarm systems, which are themselves insufficiently protected.
Short-sightedness soon to be sanctioned
“These attacks are becoming increasingly sophisticated, and their impact surface is expanding as these critical infrastructures migrate to the cloud and are connected to mobile devices and smart objects,” she said.
For the legal think-tank ‘Club des Juristes’ (Lawyers’ Club), a global awareness of cybersecurity is therefore essential. It has issued 10 recommendations, including making the fight against cybercrime a national cause for 2022 and encouraging sanctuary states to put an end to the impunity of cybercriminal groups.
“It is urgent that managers equip their companies with an effective cybersecurity policy, while respecting the data protection requirements.”
At the supranational level, the European Commission also intends to strengthen cyber resilience within the EU, including through a proposal to revise the Network and Information Systems Security (NIS2) Directive.
Presented in December 2020, the text calls for new obligations on providers of “essential” and “important” services in critical sectors, including reporting of cyberattacks, implementation of security policies, security analysis of providers, and use of encryption technologies.
The 27 MS must (better) protect their critical entities
“With NIS2, company management will now be held accountable for not meeting their obligations to monitor and manage security risks,” warns Rimlinger.
Alongside the new directive, the Commission also intends to strengthen Member States’ obligations regarding the resilience of critical entities.
Indeed, the evaluation of NIS1 shows the lack of homogeneity among the 27 MS in the implementation of the regulatory requirements: “The Directive’s monitoring and enforcement regime is ineffective,” points out the European executive body. “There is a huge variety in the financial and human resources deployed by Member States to perform their tasks (such as identifying or supervising OES) and, consequently, in the levels of competence in cyber security risk management.”
The EC therefore proposes another directive to “enhance the resilience of critical entities providing essential services in the EU”. The 10 sectors covered would be energy, transport, banking, infrastructures, financial markets, health, drinking water, waste water, digital infrastructures, public administration, and space.
Aligned with NIS2, the scheme provides that “the Member States will need to adopt a strategy on the resilience of critical entities, conduct national risk assessment, and identify which operators are ‘critical entities’ on the basis of the outcomes of the risk assessment.”
These critical entities should also conduct their own risk assessments, take appropriate technical and organisational measures to build resilience, and report disruptive incidents to national authorities.
The aim is to “create an all-hazards framework to help Member States ensure that critical entities are able to prevent, withstand, absorb, and recover from disruptive incidents, whether caused by natural hazards, accidents, terrorism, internal threats, or public health emergencies such as the one the world is facing today,” concludes the Commission.